Security geek who writes about whatever comes to his mind: almost nothing :-)

Monday, October 21, 2013

More defense, and real meat

There was an interesting blog post from Rich Mogull a few months ago about the security community not putting as much effort into defense-related research as it normally does into offense. As he quite rightly points out, "breaking things is, in many ways, far less challenging than protecting them. I am sick and tired of seeing researchers and pen testers on various mailing lists brag about how easy it is to get into their clients' systems. I suspect the ones who understand the complexity of defending complex environments with limited resources keep their mouths shut".

Not that there isn't any defense-related content being presented out there; you'll see plenty of defense content in the major security conferences' agendas, but for some reason it's still hard to find stuff that is immediately implementable. Think about it: how many times have you been able to come back from a security conference with stuff ready to be used by your organization? I understand that we need to adapt things to the specifics of each environment, and there are a lot of nice ideas that, although not immediately applicable, will still drive change in practices and move things forward by affecting the way people think about problems and solutions. But we are missing real meat, things that could help security professionals justify their presence at those events.

Most of those events include the offense side. Defcon, for example, has a huge focus on that, and I don't think it would make sense to try to change it; it's part of that conference's identity. But even in cases like RSA, where there is a lot of defense content (I would say the majority), we are still missing the implementable part. I'm not saying those discussion panels and threat evolution assessments are not useful, but they serve a different purpose: keeping the minds of the security community aware of the changes and evolution of our world. That's very important. Still, there's a gap between that and the offense piece that needs to be filled.

There are some forums and events with that kind of content. SANS conferences are probably a notable case. The things I've seen being presented at the different B-Sides events are also, interestingly, more aligned with implementable content. Vendor conferences are also good at that: one of the major challenges is presenting content that is useful to organizations, and vendors can show things closer to the implementation level by leveraging their own tools and demonstrating how to use their cool features. But it's still a very limited audience and content framework (they won't show stuff that can't be done with their products :-)).

There are some good examples of online forums and resources with actionable defense content. The IDS signature databases started a trend of blacklists and crowdsourced resources that produced a lot of good stuff for defenders to use in their day-to-day work, but there's still room between that kind of content and the more inspirational stuff from talks and panels at RSA. There's still so much to share out there. Imagine if we could go to a conference where the content is mostly stuff we can immediately start using in our organizations, generating immediate value. I'm talking about a security conference where the criteria for accepting content would be:

D: Defense. This is the basic requirement. The content should be related to defense techniques, not offense. If you want to break stuff, go to Defcon and BlackHat.

A: Actionable. Stuff that you can take back home and start using. It doesn't necessarily mean technology; it can be a risk assessment method or a new way to write security policies. Interesting technology pieces would be new open source security tools, SIEM rules, and new ways to integrate existing tools.

M: Measurable. And, by the way, how do we know if this stuff is actually working? This would force speakers to show how they concluded their stuff is worth trying. Have they found things that previously went unnoticed on their networks? Have they somehow managed to validate the magical numbers from their risk assessment?

I would call this new conference DAMSEC :-)

To better illustrate the idea, here are some talks from past conferences that would nicely fit into DAMSEC's track: